Skip to content

new restriction lint: pointer_format #14792

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

new restriction lint: pointer_format #14792

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6162,6 +6162,7 @@ Released 2018-09-13
[`pathbuf_init_then_push`]: https://rust-lang.github.io/rust-clippy/master/index.html#pathbuf_init_then_push
[`pattern_type_mismatch`]: https://rust-lang.github.io/rust-clippy/master/index.html#pattern_type_mismatch
[`permissions_set_readonly_false`]: https://rust-lang.github.io/rust-clippy/master/index.html#permissions_set_readonly_false
[`pointer_format`]: https://rust-lang.github.io/rust-clippy/master/index.html#pointer_format
[`pointers_in_nomem_asm_block`]: https://rust-lang.github.io/rust-clippy/master/index.html#pointers_in_nomem_asm_block
[`positional_named_format_parameters`]: https://rust-lang.github.io/rust-clippy/master/index.html#positional_named_format_parameters
[`possible_missing_comma`]: https://rust-lang.github.io/rust-clippy/master/index.html#possible_missing_comma
Expand Down
1 change: 1 addition & 0 deletions clippy_lints/src/declared_lints.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ pub static LINTS: &[&crate::LintInfo] = &[
crate::floating_point_arithmetic::SUBOPTIMAL_FLOPS_INFO,
crate::format::USELESS_FORMAT_INFO,
crate::format_args::FORMAT_IN_FORMAT_ARGS_INFO,
crate::format_args::POINTER_FORMAT_INFO,
crate::format_args::TO_STRING_IN_FORMAT_ARGS_INFO,
crate::format_args::UNINLINED_FORMAT_ARGS_INFO,
crate::format_args::UNNECESSARY_DEBUG_FORMATTING_INFO,
Expand Down
30 changes: 29 additions & 1 deletion clippy_lints/src/format_args.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use arrayvec::ArrayVec;
use clippy_config::Conf;
use clippy_utils::diagnostics::{span_lint_and_sugg, span_lint_and_then};
use clippy_utils::diagnostics::{span_lint, span_lint_and_sugg, span_lint_and_then};
use clippy_utils::macros::{
FormatArgsStorage, FormatParamUsage, MacroCall, find_format_arg_expr, format_arg_removal_span,
format_placeholder_format_span, is_assert_macro, is_format_macro, is_panic, matching_root_macro_call,
Expand Down Expand Up @@ -194,12 +194,34 @@ declare_clippy_lint! {
"use of a format specifier that has no effect"
}

declare_clippy_lint! {
/// ### What it does
/// Detects [pointer format].
///
/// ### Why restrict this?
/// In kernel context, this might be vulnerable to misuse for exfiltrating
/// stack or kernel function addresses.
Comment on lines +202 to +203
Copy link
Contributor

@kpreid kpreid May 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

“…misuse for exfiltrating…” makes it sound like this is protection against attempts to insert malicious code into a project. Is auditing such code within scope for clippy? If not, it might be good to change the wording.

Also, “kernel context” isn’t very clear to people not familiar with what it’s talking about and sounds like it might be a formal or common Rust term, which it is not. How about something more like “In (projects|codebases|crates) such as operating system kernels,”?

///
/// ### Example
/// ```no_run
/// let foo = &0_u32;
/// println!("{:p}", foo);
/// ```
///
/// [pointer format]: https://doc.rust-lang.org/std/fmt/index.html#formatting-traits
#[clippy::version = "1.88.0"]
pub POINTER_FORMAT,
restriction,
"use of a pointer format specifier"
}

impl_lint_pass!(FormatArgs<'_> => [
FORMAT_IN_FORMAT_ARGS,
TO_STRING_IN_FORMAT_ARGS,
UNINLINED_FORMAT_ARGS,
UNNECESSARY_DEBUG_FORMATTING,
UNUSED_FORMAT_SPECS,
POINTER_FORMAT,
]);

#[allow(clippy::struct_field_names)]
Expand Down Expand Up @@ -280,6 +302,12 @@ impl<'tcx> FormatArgsExpr<'_, 'tcx> {
let name = self.cx.tcx.item_name(self.macro_call.def_id);
self.check_unnecessary_debug_formatting(name, arg_expr);
}

if placeholder.format_trait == FormatTrait::Pointer
&& let Some(span) = placeholder.span
{
span_lint(self.cx, POINTER_FORMAT, span, "pointer formatting detected");
}
}
}
}
Expand Down
12 changes: 12 additions & 0 deletions tests/ui/pointer_format.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#![warn(clippy::pointer_format)]

fn main() {
let m = &(main as fn());
let g = &0;
let o = &format!("{m:p}");
//~^ pointer_format
println!("{g:p}");
//~^ pointer_format
panic!("{o:p}");
//~^ pointer_format
}
23 changes: 23 additions & 0 deletions tests/ui/pointer_format.stderr
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
error: pointer formatting detected
--> tests/ui/pointer_format.rs:6:23
|
LL | let o = &format!("{m:p}");
| ^^^^^
|
= note: `-D clippy::pointer-format` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::pointer_format)]`

error: pointer formatting detected
--> tests/ui/pointer_format.rs:8:15
|
LL | println!("{g:p}");
| ^^^^^

error: pointer formatting detected
--> tests/ui/pointer_format.rs:10:13
|
LL | panic!("{o:p}");
| ^^^^^

error: aborting due to 3 previous errors